Sunday, 2 October 2011

Once our customers start using file integrity monitoring technology as part of a PCI Compliance or other security governance initiative, there is often a realization that ‘what the eye doesn't see, the heart doesn't grieve over’.

For instance, who knew there were that many file changes associated with a Windows update?

We have recently dealt with an interesting project for a Passenger Ferry Operator. After we had been running Change Tracker file integrity monitoring for a few days, they noticed repeated, frequent but irregular changes being reported to a couple of DLL files - 'lsprst7.dll' and 'sysprs7.dll' - with two associated files, 'lsprst7.tgz' and 'sysprs7.tgz'. These reside within the Windows\System32 and/or the SysWOW64 folders.

Our customer contact did some research via Google but, despite finding other records of searches for the identity of these files and the reason for the frequent changes (with the trail leading to an Adobe forum thread), no explanation could be found.

A process-of-elimination exercise was suggested to identify the role of the files: delete the files and see which application breaks, or progressively remove programs from the server and see which removal takes the DLLs in question with it.

It is counterintuitive for DLL files to change and you would be rightly suspicious if you saw this happening on a server. Concerns over mutating malware and polymorphic viruses began to circle.

What's the Solution?

In this instance, thankfully, there is a perfectly logical explanation. The files are License Server components for SafeNet ‘Solve’ software (Solve is supplied by The Logic Group, and it provides cardholder data encryption for the EPoS software used by this customer). The DLLs are persistence files, used to help detect "Time Tampering", and they change every time the software is accessed and a license check is run.

We are familiar with other examples of license key files that change regularly, and although it is initially surprising, and a concern, to see system files changing, it is ultimately a positive thing.

How can you detect genuinely exceptional file changes if you don't fully understand how your applications and servers behave under regular operating conditions? Only by employing forensic-level file integrity monitoring and analyzing the results can you begin to understand what ‘good’ looks like and, in turn, what irregular - and potentially damaging - behavior looks like.
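The baselining idea above, as an added example that is not Change Tracker's code or the author's: a small snapshot-and-compare file integrity check that hashes every file under a root, then separates changes to files known to churn legitimately (the two SafeNet persistence DLLs and their .tgz companions named in the post) from changes to everything else. The glob patterns, the function names and the constructed Windows\System32 directory layout are assumptions for the demonstration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Relative paths of files the post identifies as changing during normal
# operation (SafeNet 'Solve' licence persistence files). The glob form of the
# patterns is an assumption made for this example.
EXPECTED_VOLATILE = [
    "Windows/System32/lsprst7.*",
    "Windows/System32/sysprs7.*",
    "Windows/SysWOW64/lsprst7.*",
    "Windows/SysWOW64/sysprs7.*",
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def is_expected_volatile(rel_path: str, patterns=EXPECTED_VOLATILE) -> bool:
    """True if the path matches a file that is known to change legitimately."""
    return any(fnmatch.fnmatchcase(rel_path, pat) for pat in patterns)


def compare(baseline: dict, current: dict, patterns=EXPECTED_VOLATILE) -> dict:
    """Classify the differences between two snapshots.

    Changes to allowlisted files are reported in their own bucket, so the
    licence-file churn stays visible without drowning out a modification to
    a DLL that has no business changing.
    """
    report = {"expected_change": [], "unexpected_change": [], "added": [], "removed": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            bucket = "expected_change" if is_expected_volatile(rel, patterns) else "unexpected_change"
            report[bucket].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: between two scans the licence persistence files
    are rewritten by a licence check, an unrelated DLL is modified, and a
    new file appears. Only the first of these is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "lsprst7.dll").write_bytes(b"licence-state-v1")  # constructed content
        (sys32 / "lsprst7.tgz").write_bytes(b"licence-blob-v1")   # constructed content
        (sys32 / "otherapp.dll").write_bytes(b"stable-dll")       # constructed content
        baseline = snapshot(root)

        # The next licence check rewrites its persistence files (expected)...
        (sys32 / "lsprst7.dll").write_bytes(b"licence-state-v2")
        (sys32 / "lsprst7.tgz").write_bytes(b"licence-blob-v2")
        # ...while an unrelated DLL changes and a new file appears (must be flagged).
        (sys32 / "otherapp.dll").write_bytes(b"modified-dll")
        (sys32 / "dropped.dll").write_bytes(b"new file")          # constructed content
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

A path-based allowlist only tells you that a change to lsprst7.dll is normal, not that the new contents are what the licence server wrote; in practice you would pair it with a check the allowlist cannot be fooled by, such as verifying the file's digital signature or alerting when the change rate or file size drifts from the baseline you established while learning what ‘good’ looks like.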